Apple users left exposed to serious threats for weeks, former employee says

A noted whitehat hacker who spent more than a year on Apple's security team has dealt her former employer some blistering criticism for fixing critical vulnerabilities in iOS three weeks after they became widely known to blackhats.

Kristin Paget, who recently took a security position at a major car manufacturer, took to her private blog Wednesday and catalogued more than a dozen separate security bugs that were patched in Tuesday's release of iOS 7.1.1. Some of them gave attackers the ability to surreptitiously execute malicious code on iPhones and iPads without requiring much or any interaction from end users. Paget noted that 16 of the vulnerabilities addressed had been fixed three weeks earlier in a separate update for OS X users. Such delays give malicious hackers the opportunity to reverse engineer the fixes for one platform and develop potent exploits to use against the same bugs surviving in unpatched platforms, security researchers have long charged.

"Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: 'I will not use iOS to drop 0day on OS X, nor use OS X to drop 0day on iOS,'" Paget wrote in Wednesday's blog post. Addressing Apple officials directly, Paget continued:

Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?

Someone tell me I’m not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms—but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?

Paget—who has also been employed by Google and eBay—called on readers to cross-check previous iOS and OS X security updates to see if they also showed long lapses between the time when critical vulnerabilities are fixed on one platform and when they're repaired on the other.
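The cross-check Paget asks for can be automated: extract the CVE identifiers from each advisory, note the date each CVE was first fixed on any platform, and report every later fix of the same CVE on a different platform together with the lag in days. The script below is an added example, not code from the article or from Paget; the advisory text, product names, dates and CVE identifiers in it are constructed placeholders, not the contents of any real Apple bulletin, and it generalizes the two-advisory case in the article to any number of advisories.

```python
import re
from datetime import date

# Constructed sample data standing in for two Apple security advisories.
# The CVE identifiers and dates are placeholders for illustration only;
# they are not taken from any real APPLE-SA bulletin.
ADVISORIES = [
    {"platform": "OS X", "product": "Safari 7.0.3", "date": date(2014, 4, 1),
     "text": "WebKit: CVE-2014-9001, CVE-2014-9002, CVE-2014-9003 fixed."},
    {"platform": "iOS", "product": "iOS 7.1.1", "date": date(2014, 4, 22),
     "text": "WebKit: CVE-2014-9001 and CVE-2014-9002. Kernel: CVE-2014-9100."},
]

# CVE IDs are CVE-YYYY-NNNN with at least four sequence digits (more since 2014).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")


def extract_cves(text):
    """Return the set of CVE identifiers mentioned in a block of advisory text."""
    return set(CVE_RE.findall(text))


def first_fix_dates(advisories):
    """Map each CVE to (date, platform) of the earliest advisory that fixed it."""
    first = {}
    for adv in sorted(advisories, key=lambda a: a["date"]):
        for cve in extract_cves(adv["text"]):
            first.setdefault(cve, (adv["date"], adv["platform"]))
    return first


def patch_lags(advisories):
    """List (cve, first_platform, later_platform, lag_days) for every CVE that
    was fixed on one platform only after another platform's advisory had
    already disclosed it. CVEs fixed on a single platform produce no entry."""
    first = first_fix_dates(advisories)
    lags = []
    for adv in advisories:
        for cve in extract_cves(adv["text"]):
            first_date, first_platform = first[cve]
            if first_platform != adv["platform"]:
                lags.append((cve, first_platform, adv["platform"],
                             (adv["date"] - first_date).days))
    return sorted(lags)


def exposed_beyond(advisories, max_days=0):
    """Return only the cross-platform lags longer than max_days."""
    return [lag for lag in patch_lags(advisories) if lag[3] > max_days]


if __name__ == "__main__":
    for cve, p0, p1, days in patch_lags(ADVISORIES):
        print(f"{cve}: fixed on {p0}, {p1} left unpatched for {days} days")
```

Run against real advisories, the `text` fields would be the published bulletin bodies and the dates their release dates; any pair with a lag well above zero is a window in which the first advisory has effectively published the bug list for the still-unpatched platform.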

So while it's fair to say that Apple shouldn't drop 0-days on its mobile users each time it updates its desktop OS (or vice versa), substantially the same criticism can also be levelled at the #1 and #3 smartphone vendors too.

I think what makes it seem egregious is that Apple develops both OSes (the same goes for Microsoft with Windows, of course). They can surely coordinate the release of patches to avoid this obvious problem.